Federal Trade Commission site instructs victims of identity theft on the steps to take after being scammed, from placing a fraud alert on credit reports to filing reports with local and federal authorities.

WHO’S IN YOUR WALLET?

Kathleen Drew is a two-time victim of digital pickpockets.
Drew, a jewelry designer from Boston, had a pair of her credit card accounts hacked into during the past three years, and was forced to order replacement cards and set up automatic payments for up to 15 monthly bills.

“It was an aggravation that I didn’t need,” she said.

What’s a hassle for Drew and thousands of other Massachusetts residents each year is a small piece of the picture for the retail and banking industries and their intermediaries, the credit card processors, which handled an estimated $2 trillion in card transactions last year.

How bank cards work

Swiping your card sets this process into motion

There’s a complex behind-the-scenes process every time you buy something with a credit card, even though it usually only takes a matter of seconds to complete:

A transaction begins when a customer presents a card to pay for a purchase. Bank cards come in several varieties, including credit cards issued by national banks and debit cards issued by local banks. The magnetic strip on the back of the card stores the information that identifies the cardholder: the account number, the name, and the card’s expiration date.

At most stores, the consumer’s card is swiped and the transaction amount is entered. A machine at the cash register electronically reads the cardholder’s account information. Through a phone line connected to the back of the machine, the terminal dials out to the processing network for authorization to complete the transaction.

A similar process occurs on a retailer’s Web site, except the consumer must enter the data that would normally be picked up by a card reader in a store. Most retailers use an encryption protocol known as SSL, short for “Secure Sockets Layer.” An encrypted Web site is easy to spot - the start of the address will change from “http” to “https,” and, if you’re using Netscape, a padlock icon appears.

The processing network is responsible for translating and delivering the electronic information sent from the checkout aisle. The transaction data is first routed to the issuing bank for authorization of the cardholder’s account, with the appropriate data then sent to a processing bank as well as back to the terminal.

The consumer’s issuing bank verifies that the account is valid and the sale is within the cardholder’s available credit limit. This triggers the network to send an approval code back to the retailer’s terminal so the transaction can be completed. Transaction details appear on the cardholder’s next account statement.

The completed transaction is saved in the point-of-sale terminal until the business closes out the current batch of stored transactions. This process, called “batching out,” generally occurs automatically at the end of each day.

Sources: National Federation of Independent Business, Smart Computing
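The authorization and batching sequence described in the sidebar above, as an added simulation that is not part of the original article: the issuing bank checks that the account is valid and the sale fits the credit limit, returns an approval code, and the terminal holds approved sales until it batches out, keeping only the masked account number rather than everything read from the stripe. The network routing step is collapsed into the issuer, and the account data, names and the approval-code format are constructed assumptions.

```python
import secrets

class Issuer:
    """Stand-in for the issuing bank: checks the account and the available credit."""

    def __init__(self, accounts):
        # PAN -> {"expiry": "MM/YY", "limit": float, "balance": float}; constructed data
        self.accounts = accounts

    def authorize(self, pan, expiry, amount):
        acct = self.accounts.get(pan)
        if acct is None or acct["expiry"] != expiry:
            return None                        # decline: unknown card or wrong expiry
        if acct["balance"] + amount > acct["limit"]:
            return None                        # decline: over the available credit
        acct["balance"] += amount
        return secrets.token_hex(3).upper()    # six-character approval code (assumed format)

def mask_pan(pan):
    """Keep only the last four digits, as a receipt or statement does."""
    return "*" * (len(pan) - 4) + pan[-4:]

class Terminal:
    """Point-of-sale terminal: holds approved sales until the batch is closed."""

    def __init__(self, network):
        self.network = network                 # the issuer stands in for the network here
        self.open_batch = []

    def swipe(self, pan, name, expiry, amount):
        code = self.network.authorize(pan, expiry, amount)
        if code is None:
            return None
        # Keep only what settlement needs: masked PAN, amount and approval code.
        # The name and full PAN read from the stripe are dropped, not stored.
        self.open_batch.append({"pan": mask_pan(pan), "amount": amount, "approval": code})
        return code

    def batch_out(self):
        """'Batching out': hand off the day's approved sales and clear the terminal."""
        settled, self.open_batch = self.open_batch, []
        return settled

def demo():
    issuer = Issuer({"4111111111111111": {"expiry": "06/09", "limit": 500.0, "balance": 0.0}})
    pos = Terminal(issuer)
    ok = pos.swipe("4111111111111111", "K DREW", "06/09", 120.0)        # approved
    declined = pos.swipe("4111111111111111", "K DREW", "06/09", 450.0)  # over limit
    return ok, declined, pos.batch_out(), pos.open_batch
```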

“The amount of fraud is such a tiny proportion of the total transactions that the banks and the credit card companies regard it as a cost of doing business,” said Lewis Mandell, a University of Buffalo finance professor.

But now banks, which are liable for absorbing an estimated $2 billion a year in phony charges, are pushing for new state and federal laws and pressuring credit card companies to fine merchants that violate industry security practices.

Nearly 4,000 Bay State residents reported identity thefts in 2005, according to the Federal Trade Commission. Credit card fraud accounted for 34 percent of the cases.

The high-profile nature of recent cases such as the potential theft of millions of TJX Cos. customers’ credit card data has raised new questions about how well retailers safeguard their customers’ information.

“When you’re dealing with electronic systems, there’s such massive information in one place,” said Steve Kenneally, director of payment and technology policy for America’s Community Bankers. “For thieves, it’s a target-rich environment.”

Retailers select a bank that acts as an “acquirer” to process their credit and debit transactions. The banks or subcontractors install the card readers in stores. Information from card swipes - typically the card number and customer’s name - can be stored within the store, at the retailer’s headquarters or on a third-party data provider’s servers.

“Security for retailers is remarkably expensive and the problem is, it is very much akin to a consumer buying life insurance or major medical insurance,” said Evan Schuman, retail technology editor for eWeek.com. “If they go a year without having an accident or major incident, they think, ‘I wasted all that money.’”

Conflicting strategies

Investing in tighter security runs counter to retailers’ strategies of expanding their points of sale, as they experiment with new technologies, such as payments by cell phone.

“There are so many points where someone can get into your system,” Schuman said. “You’ve got to protect all of those points. But you have to allow your consumers to get in.”

Following the 2004 theft of roughly eight million BJ’s Wholesale Club members’ credit or debit card information, the Massachusetts Bankers Association formed a task force that recommended a series of ways to tighten security.

Among them: timely notification of affected customers, liability for retailers, full reimbursement to banks for the cost of reissuing cards, and stronger data encryption standards.

Based upon the recent TJX security breach, it appears few of the steps have been adopted, said Bruce Spitzer, spokesman for the bankers association.

Among the data that Framingham-based TJX has reported stolen are card expiration dates, as well as the names, addresses and driver’s license numbers of customers who were returning merchandise without receipts.

“It wouldn’t have happened if they had not been storing data they shouldn’t have,” Spitzer said. “After a transaction is cleared, it shouldn’t be kept.”

A new standard

Credit card companies have begun to respond to heightened concern about security breaches by penalizing member retailers. In December, Visa said it would spend $20 million in incentives to make member banks compliant, and begin fining those banks up to $25,000 if large merchants aren’t compliant by the end of August and smaller merchants by year-end.

“It’s a relatively new standard and our membership has been working very hard to get up to speed,” said Liz Oesterle, government affairs counsel for the National Retail Federation.

But critics say Visa’s penalties don’t come close to covering banks’ losses. Issuing a new card costs up to $20 per card for some banks, and a data breach dating back to July 2005 may have affected the card data of millions of customers.

Solutions

While technology has contributed to the spread of credit card fraud, it also offers potential solutions.

Security consultants are pitching upgraded monitoring programs for retailers designed to flag unauthorized releases of data, rather than the earlier emphasis on keeping out hackers.

“There’s a very telling shift between (monitoring) who’s getting in and what’s getting out,” said David Etue, senior security strategist for Fidelis Security Systems, a Bethesda, Md.-based electronic security company.

More than three-quarters of data breaches are caused by an existing employee, Etue said, either through malice or ignorance.

“Half of the violations are someone who doesn’t know any better and doesn’t realize they’re putting data at risk,” he said.
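Monitoring for card data leaving the network, the shift Etue describes, in an added example that is not from the article or from Fidelis: the detector flags outbound records that contain a Luhn-valid card number, so masked account numbers and ordinary order ids pass while a full card number in an upload or an e-mail is reported. The log lines and their format are constructed.

```python
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check digit test; filters out order ids and timestamps that merely look numeric."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the card numbers (digits only) found in one record."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def scan_egress(lines):
    """Return (line number, masked PANs) for every outbound record carrying card data."""
    alerts = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            alerts.append((n, ["*" * (len(p) - 4) + p[-4:] for p in pans]))
    return alerts

SAMPLE_EGRESS = [  # constructed outbound records; card numbers are standard test numbers
    "2007-02-01T23:12:04 POST /batch dst=10.1.2.3 body=acct=************1111&amt=120.00",
    "2007-02-01T23:13:51 FTP PUT dst=203.0.113.9 file=returns.csv row=DREW,4111111111111111,06/09",
    "2007-02-01T23:14:10 GET /catalog?id=1234567890123 dst=198.51.100.4",
    "2007-02-01T23:15:02 SMTP dst=203.0.113.22 subj=report body=card 5105-1051-0510-5100 ok",
]
```

Records 1 and 3 pass: the first carries only a masked number and the 13-digit catalog id fails the Luhn test.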

All of which has consumers such as Drew, the jewelry designer from Boston, wary about how they pay for their purchases.

“I’m very afraid of someone accessing my bank account other than the bank,” she said. “It’s really terrible. In the age of technology, every time you turn around someone’s hacking into somebody’s system. You almost want to go back to the old days of stuffing money in your mattress.”